I’m here again, and this time I’ll take you through how I solved an easy challenge on TryHackMe. By the end, I had gained root on the machine.
I received some feedback about the text size in the terminal screenshots of my last article: it wasn’t big enough. I apologize for that.
I completely forgot that not everyone uses a small font size, since I’m used to that style myself. For today’s article I made the font bigger.
Let’s dive straight into the challenge.
Challenge name: Cyborg
As usual, the first step is to deploy the machine, then connect to the same network using OpenVPN or via the AttackBox on TryHackMe. I normally use OpenVPN.
After spinning up the machine, the next thing I did was enumerate the ports and services running on it with the following command:
nmap -sV IP_addr
The -p- flag scans every port on the machine, which takes time; I would normally run the command without it.
As the screenshot shows, a web server and SSH are running (ports 80 and 22 respectively). Pasting the IP address into my browser brings up this page.
The next step is to view the page source while automating directory discovery with a tool such as ffuf, gobuster, or any other of your choice. I used both ffuf and gobuster, but ffuf alone would do for this challenge. I used gobuster to check for php, txt, html and similar extensions with the command:
gobuster dir -u http://IP_ADDR/ -w /usr/share/wordlists/common.txt -t 16 -x php,txt,conf,html
The -u flag takes the IP address or URL, while the -w flag points to the wordlist used to brute force directory names.
As for ffuf, the screenshot below identifies the directories it picked up.
The directories admin and etc and the file index.html were discovered. index.html leads to the Apache default page. Heading over to the /etc directory lands on this page.
Hmm, a squid folder? What could be in there? The squid folder contains a passwd file and a squid.conf file.
Yeah, nobody needed to tell me what to do next. I opened the passwd and squid.conf files to look for anything useful.
I honestly didn’t understand the conf file. I did some research but came up with nothing tangible. The passwd file, though, looks like it holds a hash. To identify the hash type you can use hashid in the terminal.
Try that in the terminal. It is useful if you intend to crack the password with hashcat, because you then know which mode option to use in the cracking process.
However, I used John the Ripper to crack the hash.
The first step is to copy the username and hash, as seen in the image, into a file, say hash.txt.
Then use john to crack it, as seen in the image below.
Now I have a password: “squidward”. Normally I would have started brute forcing the SSH login with hydra, using the usernames I discovered later, but that did not work. So we keep enumerating.
The admin directory displays this page:
Look around the page and test its functionality. View the source to check for pointers. I didn’t find anything interesting in the source, so I began viewing the other pages under the admin directory.
The admin page gives you some usernames (the ones I used to brute force SSH).
Then I checked the archive. I had the option to listen to or download a file.
So I downloaded the file and analyzed it in my terminal. It’s a compressed file named archive.tar.
Running the command “tar -xvf archive.tar” extracts it.
That creates a home directory in the current directory. I used the tree command to get a better view of the files and folders within the home directory.
Reading through the files you’ll discover they’re encrypted, but there is a README file that points us to borgbackup.
Initially I knew nothing about BorgBackup, but with the tons of resources available, plus YouTube videos, I got my head around it. The docs didn’t help me much; YouTube did. Check this and this for a more practical application.
After the tutorial, you’ll see where the password cracked from the hash during the first phase of your enumeration comes in.
So basically, the user backed up his files using borg. Borg lets you encrypt the files with a password or other means, so you can back them up to any server, whether the server is trusted or not.
To list the backed-up files, use the following command:
borg list home/field/dev/final_archive
You can also extract the files using a similar command. In both cases you’ll need to provide the passphrase: squidward
It seems like nothing happened, but when you run the tree command again you discover another directory named alex inside the home directory.
Going through the files and directories, notes.txt stands out as the most interesting and important one. In it we find a username and password in clear text.
You know what to do next: head straight to the SSH service and try the username and password. And voila, it works.
We’ve got access as the user “alex”. Print user.txt to the terminal and submit it. I’m now left with the final step: escalating my privileges to root.
For this I ran “sudo -l” to list the user’s sudo privileges. That tells me which commands I can run as root, so I can try to exploit them.
As you can see in the screenshot above, I can run a backup script located in the /etc/mp3backups/ folder as root.
Luckily, the file is owned by alex, although I can’t write to it straight away. But that’s easy: a “chmod 770” will do.
Since I can now write to the file, I just put a shell on its first line, so that when the script runs as root it opens a shell as root first. I tried that and it worked. Nice!
There are definitely other ways around it. This was the first method that came to my mind, and it worked.
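The weakness behind this privilege escalation is a sudo rule that lets a user run, as root, a script the same user owns. The helper below is an added example for auditing that (not code from the write-up): it takes a path from the “sudo -l” output and a user name and reports whether that user could tamper with the file before root runs it. It assumes Linux with GNU coreutils stat; the sample sudo line in the comments is constructed.

```shell
#!/bin/sh
# Added audit helper. Given a command that 'sudo -l' says USER may run as
# root, report whether USER could alter it first, which is the weakness on
# this box (the backup script was owned by the sudo user). Assumes Linux
# with GNU coreutils stat.

# world_writable PATH -> true when the "other" write bit is set
world_writable() {
    perm=$(stat -c %a "$1") || return 1
    [ $(( (perm % 10) & 2 )) -ne 0 ]
}

# sticky PATH -> true when the sticky bit is set (others cannot replace entries)
sticky() {
    perm=$(stat -c %a "$1") || return 1
    [ $(( (perm / 1000) & 1 )) -ne 0 ]
}

# sudo_target_risk PATH USER -> prints a verdict; exit status 0 only for "ok"
sudo_target_risk() {
    file=$1 user=$2
    owner=$(stat -c %U "$file" 2>/dev/null) || { echo "missing"; return 1; }
    if [ "$owner" = "$user" ]; then echo "owned-by-user"; return 1; fi
    if world_writable "$file"; then echo "world-writable"; return 1; fi
    dir=$(dirname "$file")
    if [ "$(stat -c %U "$dir")" = "$user" ] ||
       { world_writable "$dir" && ! sticky "$dir"; }; then
        echo "parent-dir-writable"; return 1
    fi
    echo "ok"
}

# audit_sudo_l USER  (reads 'sudo -l' output on stdin)
# For each "(root) [NOPASSWD:] /path [args]" line prints "path<TAB>verdict".
# Constructed sample line: "    (root) NOPASSWD: /etc/example/backup.sh"
audit_sudo_l() {
    user=$1
    while IFS= read -r line; do
        case $line in *'('*')'*/*) ;; *) continue ;; esac
        target=${line#*) }        # drop the "(root) " runas part
        target=${target#*: }      # drop an optional "NOPASSWD: " tag
        target=${target%% *}      # keep only the command path
        printf '%s\t%s\n' "$target" "$(sudo_target_risk "$target" "$user")"
    done
}

# Stand-alone use on a box you administer:  sudo -l | audit_sudo_l "$(id -un)"
```

Any verdict other than “ok” means the sudo rule should be fixed by making the script and its directory root-owned and not writable by the invoking user.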
As always, if you read through to the end, Kudos! And remember not to follow. Yes. Don’t follow me. lol.